Hello!

On Fri, Jun 23, 2017 at 01:24:19PM +0000, Lukas Tribus wrote:

> Hello,
>
> > In nginx there is no native support for bcrypt passwords as
> > produced by Apache's htpasswd. On the other hand, nginx can use
> > all password schemes supported by crypt(3) on your OS. Many
> > operating systems do support bcrypt-encrypted passwords in
> > crypt(3), and if Apache's variant is not different from other
> > implementations, it would be enough to change the prefix in the
> > password hashes from Apache-specific $2y$ to the one supported by
> > your OS.
>
> Is it a good idea though to use a very CPU-intense hash like bcrypt
> in an event-driven webserver?
>
> Bcrypt is intentionally slow, I assume having a lot of bcrypt
> protected HTTP transactions would block nginx, causing it to slow
> down severely?

All password hashing schemes are intentionally slow. The goal of password hashing is to prevent brute-force attacks even if hashes are leaked. The question is how slow a particular hashing scheme is, and if it is acceptable for a particular use case.

One of the bcrypt scheme's main properties is that it allows controlling the number of rounds, and thus controlling hashing speed. With a low number of rounds it is reasonably fast. For example, with 2^5 rounds (the default used by htpasswd) it takes about 4 milliseconds here on a test box:

$ time perl -le '$h = "foo"; for (1..1000) { $h = crypt($h, q{$2b$05$foodfsadfdfsadfsadfalkjlkkjlkjlkjlkjlkjlkjlkjljklkjlk}); }; print $h;'
$2b$05$foodfsadfdfsadfsadfaleR/2BBLeLV.7NTWtyNRyAquSKRD9E4Sy

real    0m3.884s
user    0m3.880s
sys     0m0.001s

-- 
Maxim Dounin
http://nginx.org/
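An added example, not part of the thread or of nginx itself, that puts both points above together: it rewrites the Apache-specific $2y$ prefix in an htpasswd file to the variant the OS crypt(3) accepts (after checking the string really is a well-formed bcrypt hash), and it projects per-hash latency for other cost factors from the ~3.9 ms measured at cost 05 in the post, so the worker-blocking trade-off raised in the question can be sized before changing the cost. The htpasswd lines and the target prefix `$2b$` are constructed assumptions; the baseline timing is the post's measurement, and the doubling-per-cost-step rule follows from bcrypt running 2^cost rounds.

```python
import re

# Modular-crypt bcrypt string: $2<variant>$<two-digit cost>$<22-char salt><31-char digest>
# Variants a/b/x/y share the same salt+digest layout; only the prefix differs.
BCRYPT_RE = re.compile(r"^\$2([abxy])\$(\d{2})\$([./A-Za-z0-9]{53})$")

def convert_bcrypt_prefix(hash_str, target="b"):
    """Return hash_str with its bcrypt variant letter replaced by `target`,
    or None when the string is not a well-formed bcrypt hash (so a garbled
    or non-bcrypt entry is never silently 'converted')."""
    m = BCRYPT_RE.match(hash_str)
    if not m:
        return None
    _variant, cost, body = m.groups()
    return "$2%s$%s$%s" % (target, cost, body)

def convert_htpasswd(lines, target="b"):
    """Convert every user:hash line whose hash is bcrypt; other schemes
    (e.g. $apr1$, SHA) are passed through untouched so nothing breaks."""
    out = []
    for line in lines:
        user, sep, h = line.rstrip("\n").partition(":")
        converted = convert_bcrypt_prefix(h, target) if sep else None
        out.append("%s:%s" % (user, converted) if converted else line.rstrip("\n"))
    return out

def bcrypt_cost_estimate(cost, ms_per_hash_at_cost5=3.884):
    """Estimate (ms per hash, max password checks per second for one worker)
    at a given cost. bcrypt does 2**cost rounds, so time doubles per step;
    the baseline is the 3.884 s / 1000 hashes measured at cost 05 above.
    For an event-driven server this is also how long one worker is blocked
    per authenticated request, which is the trade-off to weigh."""
    ms = ms_per_hash_at_cost5 * 2 ** (cost - 5)
    return ms, 1000.0 / ms

if __name__ == "__main__":
    # Constructed htpasswd content: one Apache bcrypt entry, one MD5-apr1 entry.
    sample = [
        "alice:$2y$05$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
        "bob:$apr1$notbcrypt$placeholder",
    ]
    for line in convert_htpasswd(sample):
        print(line)
    for c in (5, 10, 12):
        ms, per_sec = bcrypt_cost_estimate(c)
        print("cost %02d: %.1f ms/hash, ~%.0f checks/s per worker" % (c, ms, per_sec))
```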